How can I compare the contents of a volume at two points in time?

I have a 2003 Small Business .Sserver hard drive data partition that has recently started filling up at an unreasonable rate. I have used every tool available to me to search for a virus or other malware and nothing was detected.
I have questioned my client and they say they have not uploaded any unusual amount of data such as pictures, audio, scans, etc.
I need a program that can take a snapshot of all the files and their sizes at two points in time so I can compare to find out specifically what is increasing in size.
Any Ideas?

You can try the forensic tool kit from Access Data. You can make a forensic image and compare hash values to see.

When you scan the hard drive for a virus do you install the software on the computer and scan or do you slave the hard drive to another computer and scan. I have had a lot of luck slaving a computer to scan for viruses instead of installing and scanning on the computer in question.

ChopOMatic: Thanks, but I need to compare the smae data set at two different points in time, not against similar files at one point in time.
racasttillojr: forensic tool kit from Access Data sounds like a little overkill and an expensive one at that.
There must be a program that can take "snapshots" of a volume like before and after an event and give me a listing of what changed.

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Use a program which will generate hashes for each file on the volume, pumping them to a text file. That's your inital "snapshot".
After your desired interval, do the same again, to another text file. (you might wish to repeat this last step at intervals to give a view over time).

You might then use a utility to compre those two texts files; much easier and quicker than trying to directly compare all "before" files against all "after" files. Quite a few of these file compare programs exist, so I'll only recommend one if you didn't like those suggested already, and express an interest in my opinion.

The above three-step process will help you determine which file(s) are changing; that allows you to focus on those files only. You can then use a utility to see what process(es) are using the file. I'll suggest Process Monitor here, from Microsoft - http://technet.microsoft.com/en-us/sysinternals/bb896645 - because whilst I know you can do it with Windows itself, it's very tricky, and this tool is now owned by the same manufacturer as your operating system.

Hopefully, if finding out which files are involved doesn't immediately tip you off to what's happening, process monitor will show you what's accessing the files, and what username is running that process.

Actually the ideal case is to do a check balance against a pristine image but this image also has to be updated regularly after each Windows update, AV update, patched pushdown etc. This is to minimize the false positive as normally such difference can be alot though - almost like searching needle in haystack unless we shrink it into a suspected period of compromise.

Normally you will be looking at Host integrity checks (sort of "Tripwire" like). In short, it has a "baseline", that is, a reference point against which future states of the system will be compared, must be created before deployment. Moreover, the baseline must be stored outside the host, or on read-only media (whose writability is not toggle-able via software). You would check out

I also looked at it as anomaly detection where the error audit logs are checked as they are indicator of intrusion etc. E.g there can be attempts of brute force of account, port knocking etc. You can check out this article for a quick understanding

If a rootkit is really installed, it is tough to even reveal the "real" processes as this culprit is going to hide all the views and checks at kernel level. So instead of doing a image comparison, you can do it like RootkitRevealer style - snapshot the key resources and do a comparison on those common vulnerable area that malware will exploit and plant their traces. Microsoft also recently released a Attack Surface Analyzer which can be useful to highlight anomaly to kick start the checks.

Solid State Drive Performance Tips:
Solid state storage technology is now a standard. After testing and using several different brands and revisions of SSD's over the years I have put together a collection of tips,tools and suggestions that I ha…

This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target.
To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting.
This w…